kubernetes-ingress-controller: KongCredentials are not associated immediately or never with KongConsumers

NOTE: GitHub issues are reserved for bug reports only. For anything else, please join the conversation in Kong Nation https://discuss.konghq.com/c/kubernetes.

Summary

When a KongConsumer is created along with an associated KongCredential, it can take anywhere between 0 to infinite time in sec for the KongCredential records to get stored in Cassandra. The KongConsumer info is immediately stored whereas the credential info shows an unacceptable amount of latency almost every time.

As a result, Authentication fails as Kong can’t find a valid consumer-credential pair.

Note: Latency is mostly seen from creation of the second consumer and credential onwards or if CRDs are created back to back one after the other.

Kong Ingress controller version 0.3.0

Kong or Kong Enterprise version 1.0.3

Kubernetes version

Client Version: version.Info{Major:“1”, Minor:“9”, GitVersion:“v1.9.5”, GitCommit:“f01a2bf98249a4db383560443a59bed0c13575df”, GitTreeState:“clean”, BuildDate:“2018-03-19T15:59:24Z”, GoVersion:“go1.9.3”, Compiler:“gc”, Platform:“linux/amd64”} Server Version: version.Info{Major:“1”, Minor:“9”, GitVersion:“v1.9.5”, GitCommit:“f01a2bf98249a4db383560443a59bed0c13575df”, GitTreeState:“clean”, BuildDate:“2018-03-19T15:50:45Z”, GoVersion:“go1.9.3”, Compiler:“gc”, Platform:“linux/amd64”}

Environment

  • Cloud provider or hardware configuration: Vmware Vsphere/K8s
  • OS (e.g. from /etc/os-release): CentOS 7
  • Kernel (e.g. uname -a): Linux ****-master-01 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools: YAML/Jenkins
  • Others:

What happened

Unacceptable latency occurred whenever a new consumer and credential crd objects were created and authentication kept failing.

I created the following CRDs :

apiVersion: configuration.konghq.com/v1
kind: KongConsumer
metadata:
  name: consumer-pqr
username: pqr
---

apiVersion: configuration.konghq.com/v1
kind: KongCredential
metadata:
  name: credential-pqr
consumerRef: consumer-pqr
type: basic-auth
config:
  username: pqr
  password: pqr

I then checked cassandra records and there is no credential for consumer with username ‘pqr’.

screenshot 2019-02-06 15 11 33

API call result:

screenshot 2019-02-06 15 15 42

Expected behavior

KongConsumers and KongCredentials should get created at the same time and authentication plugins should be effective immediately.

Steps To Reproduce

  1. Create a KongConsumer and KongCredential and apply/create deployment.
  2. Make sure both the CRDs are created without any error.
  3. Check cassandra records or try authenticating
  4. Authentication Failed due to “Invalid authentication credentials”

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 21 (9 by maintainers)

Most upvoted comments

An update here: The way consumers and credentials are synced with 0.5.0 have significantly changed in 0.5.0.

I ran the tests ranging up to 4000 consumers and was not successful in reproducing this problem.

Please test it with 0.5.0 (expect at least a release candidate to be out next week) and let us know if you run into this yet again. I’ll leave the issue open for now.

+1
hbagdi on Jun 14, 2019
Read more comments on GitHub
← kubernetes-ingress-controller: Kong Ingress Controller cannot scale beyond a limit
kubernetes-ingress-controller: Nil targets from balancer and service name resolution failed in db-less mode when use named port →